I was surprised to read a news report tonight that Walmart.com had been hacked. Part of my surprise was due to the fact that mainstream media did not have the story but a site called SandhillsExpress.com in Nebraska was reporting it:

Ericka and Mike Hunt of Broken Bow were reviewing their bank account online this week and discovered a charge to Walmart.com for nearly $500.00 that they had not made. The Hunts contacted their bank, Wal-Mart’s Corporate Office, the Police Department in the town in Alabama where the order was to be shipped, and the local Police Department in Broken Bow. What they discovered is that someone has hacked into the Wal-Mart records and stolen card numbers and personal information from several accounts. The Alabama Police Department told the Hunts that they were approximately the 15th phone call about the same problem. The Hunts were lucky to catch this problem quickly and were able to cancel the shipment and hope to have their money back soon. They also deleted their Wal-Mart account, which they had not used since last fall and changed passwords on all of their online accounts for precautionary reasons. They asked us to tell their story in hopes that no one else will be affected by this problem. We are awaiting a response from Wal-Mart’s Media Relations Department to get a comment on this issue.

I contacted Walmart tonight, and they promptly sent me the following statement by their spokesperson for eCommerce:

Customer privacy is a top priority to us. We’re aware of this particular matter and are working with the customer to help them resolve the situation. To be clear, there is no indication of an internal security breach of the Walmart.com system or accounts. In these situations, there are unrelated ways that third parties obtain user names and passwords, such as a phishing attack or by planting malware on users’ computers. Even in these situations, the full credit card number is not visible in a customer’s account. When we become aware of these matters, we work immediately with our customers to help them protect their online security.

Reporting that a large e-commerce site has been hacked when it hasn’t been can do unfair reputational harm to the business and make customers leery of shopping online there. I’m not sure how the Hunts “discovered” that someone had hacked Walmart’s server, but sometimes 2 + 2 = 5.

2 Responses to “Walmart: no, there’s been no breach of walmart.com”

Except for the fact that several months out of 2012, there were literally hundreds of customers with accounts at walmart.com getting unauthorized charges on their credit cards, mainly for walmart products/purchases as well as charges for gift cards they never ordered. You can’t blame 90% of walmart’s customers for insecure passwords, particularly when a thief can get thousands with one hack job, therefore stealing data from thousands of customers who otherwise had strong passwords. In other words, Walmart had lax security measures that allowed hacking into their servers and compromising data. The same has happened at numerous large and popular online retailer sites, so the blaming of customers is moot, it’s the retailers who are at fault.

It also helps explain the unusual and multiple times that walmart.com online servers were down, down for maintenance, and down with no given reasons by walmart themselves. In two months, I have personally experienced downtime and database errors no less than 8 times. There’s something very very wrong and insecure about that. They have also had serious database errors during their checkout systems in the last few months, with absolutely no resolve, but the customer is at risk due to the insecure process.

Additionally, Walmart wants to blame the consumer for having phishing or malware on their systems, but fails to recognize that those customers who actually investigated found that these issues were not present; the issue is, simply, that Walmart does not protect your data.

Retailers have relationships with major credit card companies. Every single credit card company requires online retailers to DELETE confidential information (credit card data, like CVV) after each transaction is complete. But, retailers are not abiding by their associated credit card company’s rules. Still want to blame consumers for that too? Customers, banks, credit card companies, and police departments can’t all be wrong in this case!

Something was up on their site because on Jan 29, 2013 I got an email verifying an order I didn’t place. It was for an e-gift card and for legos (yep legos!) for pick up in Florida which is not the state I live in. I got the order cancelled since I caught it so quickly. Sadly, neither my credit card nor walmart seems to be pursuing this since no one was out any money.